US20030081784A1 - System for optimized key management with file groups - Google Patents
- Publication number
- US20030081784A1 (US09/984,928)
- Authority
- US
- United States
- Prior art keywords
- file
- group
- encryption
- key
- file encryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Definitions
- This invention relates generally to file system management.
- the invention relates to optimizing key management in a cryptographic file system.
- the typical file system (e.g., MICROSOFT WINDOWS, traditional UNIX, etc.) does not encrypt the data stored on the underlying data storage devices. Instead, the typical file system protects data as it is transferred between user and server. In an untrusted file server environment, the data storage devices are under the control of a third party who may not be fully trusted to protect the data or prevent malicious users from accessing, copying or using the stored data.
- One solution to protecting data is for a user to encrypt the data prior to transfer to the data storage device.
- the user has the responsibility for encrypting/decrypting data and sharing the file with other users. Users may find that the personal management of the security for the file may become tiresome.
- one aspect of the invention pertains to a method of implementing a file system.
- the method includes creating a plurality of file encryption groups from a plurality of files based on common attributes of the plurality of files and associating each file encryption group of the plurality of file encryption groups with a respective key.
- the method also includes accessing one file encryption group by utilizing one respective key.
- the system includes at least one processor, a memory coupled to at least one processor, and a group manager module.
- the group manager module resides in the memory and is executed by at least one processor.
- the group manager module is configured to create a plurality of file encryption groups from a plurality of files based on common attributes of the plurality of files and is also configured to associate each file encryption group of the plurality of file encryption groups with a respective key.
- the group manager module is further configured to access one file encryption group by utilizing one respective key.
- the apparatus includes an interface configured to communicate with a storage device, an encryption/decryption module, and a manager module.
- the manager module is configured to associate a subplurality of files of a plurality of files stored on the storage device into a file group based on common attributes of the subplurality of files and encrypting the subplurality of files with one encryption key of the plurality of encryption keys by utilizing the encryption/decryption module.
- FIG. 1 illustrates a block diagram of a system utilizing an embodiment of a group manager module in accordance with the principles of the present invention.
- FIG. 2 illustrates an exemplary diagram of a file structure organized by the group manager module shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 3 illustrates a diagram of an exemplary architecture of the group manager module shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 4 illustrates an exemplary flow diagram for an operational mode of the group manager module shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention.
- FIG. 5 illustrates an exemplary flow diagram for a second operational mode of the group manager module shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention.
- FIG. 6 illustrates an exemplary block diagram of a computer system where an embodiment of the present invention may be practiced.
- a group manager module may be utilized to manage files in a shared file system.
- a group manager module may provide the capability to segregate or associate files into file encryption groups.
- a file may be placed into a file encryption group based on the common attributes of the file with the other member of the file encryption group.
- the attributes may be characteristics (or parameters) that describe who has access to a file such as UNIX permission/mode bits, access control lists or other similar characteristics.
- the file may be encrypted with the associated cryptographic key (e.g., a symmetric encryption key, an asymmetric read/write key pair, or other similar key) of the selected file encryption group, and thus, decrypted with the associated cryptographic key (e.g., a symmetric encryption key, an asymmetric read/write key pair, or other similar key) of the selected file encryption group.
- a user may have membership into multiple file encryption groups as long as the user possesses the appropriate cryptographic keys, whereby group membership is indirectly determined through possession of a cryptographic key, rather than being explicitly maintained in some central database.
- a group manager module may be configured to determine whether to generate cryptographic keys for a new file group in response to a data (or file) creation event, i.e., file being created.
- the operating system may assign a default set of attributes (e.g., mode bits, access control lists) based on the attributes of the user (e.g., “user group1 rw-r--r--”).
- the group manager may be configured to determine a cryptographic key based on the default set of attributes.
- the group manager module may encrypt the file with the selected cryptographic key for storage on a shared file system.
- the encrypted file may be then associated with the file encryption group of the selected cryptographic key, i.e., the files that have been encrypted with the selected cryptographic key.
- the cryptographic key associated with a selected file encryption group may be a symmetric key or an asymmetric read/write key pair, which is disclosed in more detail in a commonly assigned and concurrently filed U.S. patent application Ser. No. 09/______, entitled “SYSTEM FOR ENSURING DATA PRIVACY AND USER DIFFERENTIATION IN A DISTRIBUTED FILE SYSTEM” (Attorney Docket No. 10017426-1/10017433-1) and is hereby incorporated by reference in its entirety.
- if the associated cryptographic key of a file encryption group is a symmetric key, the symmetric key may be randomly generated.
- the read/write key pair may be generated using an asymmetric crypto-algorithm such as the Rivest-Shamir-Adleman (RSA) algorithm, which is discussed in U.S. Pat. No. 4,405,829 and is hereby incorporated by reference in its entirety.
- the read/write key pair may respectively decrypt/encrypt the file.
- the group manager module may be also configured to detect a change in the attributes of an encrypted file.
- An example of a change in the attributes may be an owner of the file executing a UNIX command such as ‘chmod’, ‘chown’, ‘chgrp’, or other similar commands.
- the group manager module may be further configured to determine whether the changed attributes may create a new file encryption group. If the changed attributes do not create a new file encryption group, the group manager module may be further configured to search a file encryption group table for the corresponding cryptographic key of the existing file encryption group as well as a current cryptographic key for the encrypted file.
- the group manager module may be further configured to decrypt the encrypted file with the current cryptographic key and re-encrypt the file with the corresponding cryptographic key of the existing file encryption group. Accordingly, selected files may switch file encryption data groups.
- the group manager module may be configured to generate a cryptographic key (e.g., a symmetric key, an asymmetric read/write key pair, etc.) for the new file encryption group.
- the group manager module may be also configured to encrypt the data with the new cryptographic key and store the encrypted data on a shared file system.
- the group manager module may be further configured to update the file encryption group table.
- read or write permissions to access a file are determined by other mechanisms: either the underlying UNIX system, or a scheme that differentiates based on the cryptographic keys themselves (see U.S. patent application Ser. No. 09/______, entitled “SYSTEM FOR ENSURING DATA PRIVACY AND USER DIFFERENTIATION IN A DISTRIBUTED FILE SYSTEM”, Attorney Docket No. 10017426-1/10017433-1). This differentiation based on mode bits is done solely to group files with similar patterns. It is not part of the enforcement mechanism, as in existing systems.
- FIG. 1 illustrates a block diagram of a system 100 where an embodiment of the present invention may be practiced.
- the system 100 includes user stations 110, a network 120, and a shared file system 130.
- the user stations 110 of the system 100 may be configured to provide access to computer software applications and/or data.
- the user stations 110 may be implemented by a personal computer, a laptop computer, a workstation, a portable wireless device, and other similar computing devices.
- Each user station 110 may include an application 112, an operating system 114 and a group manager module 115.
- Although FIG. 1 illustrates an exemplary embodiment of the architecture for the user station 110, it should be readily apparent to those of ordinary skill in the art that FIG. 1 represents a generalized schematic illustration of the user station 110 and that other components may be added or existing components may be removed without departing from the spirit or scope of the present invention.
- the application 112 may be a software computer program that is executed on the user station 110.
- the application 112 may be a word processing program, a spreadsheet program or any other type of program that generates files to be stored in the shared file system 130 .
- the application 112 may be interfaced with the operating system 114 through an application program interface (API, not shown).
- the operating system 114 may be configured to manage the software applications, data and respective hardware components (e.g., displays, disk drives, etc.) of the user station 110 .
- the operating system 114 may be implemented by MICROSOFT WINDOWS family of operating systems, UNIX, HEWLETT-PACKARD HP-UX, LINUX, RIM OS, and other similar operating systems.
- the operating system 114 of the user station 110 may be configured to interface with the group manager module 115 .
- the group manager module 115 may be configured to provide the capability of grouping files into file encryption groups based on a set of attributes associated with the file.
- the attributes may be characteristics/parameters that describe who has access to a file such as UNIX permission/mode bits (group-read/write/executable bit, owner- read/write/executable bits, users-read/write/executable bits).
- the group manager module 115 may be implemented as a software program, a utility, a subroutine, or other similar programming entity. In this respect, the group manager module 115 may be programmed using software languages such as C, C++, JAVA, etc. Alternatively, the group manager module 115 may be implemented as an electronic device utilizing an application specific integrated circuit, discrete components, solid-state components or combination thereof.
- the user stations 110 may be further configured to interface with the network 120 through a respective network interface (not shown).
- the network 120 may be configured to provide a communication channel between each user station 110 and the shared file system 130 .
- the network 120 may be a wired network (e.g., PSTN, fiber optic, etc.), wireless network (e.g., text messaging, Wireless Application Protocol, etc.), or combination thereof.
- the network 120 may be further configured to support network protocols such as Transmission Control Protocol/Internet Protocol, IEEE 802.5, Asynchronous Transfer Mode, Cellular Digital Packet Data, MOBITEX, IEEE 802.11b, and other similar network protocols.
- the shared file system 130 may be configured to provide storage of data and/or software applications for the system 100 .
- the shared file system 130 may be a network accessible disk drive and/or array of disks.
- the system 100 may include a key distribution center 140 and a group database server 150 .
- the key distribution center 140 may be configured to provide a secure method of transferring encryption/decryption keys within the system 100 .
- the group database server 150 may be configured to provide central access to the user of the system 100 for information related to file encryption groups.
- the group database server 150 may store a file encryption group table that is configured to provide a listing of encryption keys (or pointers to encryption keys) and respective file encryption group.
- the file encryption group may be defined in terms of the common attributes of the files contained in the file encryption group, for example, as shown in the following TABLE I:

TABLE I

| owner | group | mode bits | key |
|-------|----------|-----------|-----|
| User1 | Group I | rw-r--r-- | K1 |
| User1 | Group I | rw-rw-r-- | K2 |
| User2 | Group I | rw-rw-r-- | K3 |
| User2 | Group II | rwxrwxr-x | K4 |

- an owner may create a file utilizing user station 110 .
- the group manager module 115 may be configured to detect the file creation command from the application 112 to the operating system 114 .
- the operating system may assign a set of default attributes to the newly created file based on the attributes of the file owner.
- the group manager module 115 may be also configured to search a file encryption group table for a corresponding cryptographic key based on the set of default attributes.
- the group manager module 115 may be further configured to encrypt the file with the corresponding cryptographic key of the selected file encryption group and forward the encrypted data for storage in the shared file system 130 (or other memory devices local or remote).
- an owner may modify attributes (e.g., UNIX file permissions: group-read/write/executable bits, user-read/write/executable bits, and owner-read/write/executable bits) of a selected file.
- ACLs access control lists
- AFS Andrew File System
- the group manager module 115 may be configured to determine whether the changed attributes may be associated with an existing file encryption group. If an existing file encryption group exists, the group manager module may be also configured to retrieve the corresponding write key for the existing file encryption group as well as the corresponding read key for the current file encryption group of the file. The group manager module may be further configured to decrypt the encrypted file with the read key and re-encrypt the file with the corresponding write key of the existing file encryption group.
- the group manager module may update the file encryption group table.
- the group manager module may be configured to maintain the file encryption group table on the user station 110 .
- the group manager module 115 may refer to the file encryption group table to determine the association between encryption keys and file encryption groups.
- the group manager module may be configured to maintain the file encryption group table in a central location such as the group database server 150 .
- the group database server 150 may be configured to provide a central location for all users of the system 100 to determine to which file encryption group a particular file belongs.
- FIG. 2 illustrates an exemplary diagram of a file structure 200 organized by the group manager module shown in FIG. 1 in accordance with an embodiment of the present invention.
- a file encryption group 210 may include a plurality of files F1 . . . FN, where each file has been encrypted with the same key, K1.
- a file encryption group 220 may comprise a plurality of files F′1 . . . F′N, where each file has been encrypted with the key, K2, and a file encryption group 230 may contain a plurality of files Fx1 . . . FxN, where each file has been encrypted with the key, Kx.
- Each file encryption group, 210-230, may include a variety of files created by various owners of files. Each file is placed into its respective file encryption group, 210-230, based on the attributes of each file. Access may be granted to each file encryption group, 210-230, based on the possession of the respective key of each of the file encryption groups 210-230. File owners may affect a file's membership in file encryption groups 210-230 by modifying the attributes of a selected file.
- FIG. 3 illustrates a diagram of an exemplary architecture of the group manager module 115 shown in FIG. 1 in accordance with an embodiment of the present invention.
- Although FIG. 3 illustrates an exemplary embodiment of the group manager module 115, FIG. 3 represents a generalized schematic illustration of the group manager module 115, and other components may be added or existing components may be removed without departing from the spirit or scope of the present invention.
- FIG. 3 illustrates an exemplary embodiment of the group manager module 115, where the group manager module 115 may be implemented as a hardware embodiment, a software embodiment, and/or combination thereof and such embodiments are well within the scope and spirit of the present invention.
- the group manager module 115 includes a manager module 310, a key generation module 320, and an encryption/decryption module 330.
- the manager module 310 may be configured to provide management functions for the group manager module 115 .
- the manager module 310 may be configured to detect a file creation event and/or an attribute-changing event by monitoring an API 315 between the application 112 and the operating system.
- the manager module 115 may be also configured to determine which file encryption group a file belongs to in response to a file attribute change event. Further details of the functionality of the manager module 115 are explained herein below in conjunction with FIGS. 4 and 5.
- the manager module 310 may be further configured to interface with the key generation module 320 .
- the key generation module 320 may be configured to generate single keys or read/write key pairs for a new file encryption group.
- the key generation module 320 may create randomly-generated keys for use in symmetric cryptographic algorithms such as DES, AES, etc., or key pairs via asymmetric cryptographic algorithms such as RSA, El-Gamal, McEliece, etc.
- the manager module 310 may be further configured to interface with the encryption/decryption module 330 .
- the encryption/decryption module 330 may be configured to provide encryption and decryption services to the group manager module 115 .
- the encryption/decryption module 330 may encode files belonging to a particular file encryption group with the appropriate encryption (e.g., a write) key.
- the encryption/decryption module 330 may also decode the encrypted files with a complementary decryption (or read key) for an authorized viewer to access the file.
- the manager module 310 may be further configured to interface with an optional file encryption group table 340.
- the file encryption group table 340 may be configured to provide a listing of encryption keys and their associated file encryption groups.
- the file encryption group table 340 may be implemented as a table, a linked-list or other similar indexing tool.
- the manager module 310 may search the file encryption group table 340 in order to determine if a file encryption group has an existing encryption key.
- the file encryption group table 340 may be optionally located in a central location such as the group database server 150 (shown in FIG. 1).
- the manager module 310 may communicate with the group database server 150 for a determination of an existing file encryption group for the file over the network 130 utilizing network communication protocols such as Ethernet, local area network, TCP/IP, etc.
- the file encryption group table 340 may be implemented with a memory such as dynamic random access memory, flash memory or other non-permanent memories.
- the file encryption group table 340 may be optionally configured with a memory access device such as a floppy disk drive, smart card, a memory stick or other similar memories. In this manner, the file encryption group table 340 may be stored on the medium of the memory device 350. Subsequently, the medium may be stored in a secure location (e.g., a vault or locked desk drawer).
- FIG. 4 illustrates an exemplary flow diagram for an operational mode of the group manager module shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention.
- Although FIG. 4 illustrates a flow diagram for the group manager module 115 with the following steps, it should be readily apparent to those of ordinary skill in the art that FIG. 4 represents a generalized illustration of an embodiment of the group manager module 115 and that other steps may be added or existing steps may be removed without departing from the spirit or scope of the present invention.
- the manager module 115 of the group manager module 115 may be configured to be in an idle state monitoring the API interface 315.
- the manager module 310 may detect data being written, i.e., a file being created.
- the operating system 114 may be configured to assign a set of default attributes based on the attributes of the file owner.
- the manager module 310 may be configured to retrieve a cryptographic key based on the set of default attributes.
- the manager module 310 may search the file encryption group table for the associated cryptographic key (e.g., a symmetric key, an asymmetric read/write key pair, etc.) for the file encryption group 340 that is defined by the set of default attributes.
- the file owner may supply the associated cryptographic key when the file owner's user account was created. Accordingly, the newly created file may be associated with a file encryption group that may be defined by the set of default attributes of the file owner.
- the manager module 310 may be configured to forward the associated cryptographic key and the newly created file to the encryption/decryption module 330.
- the encryption/decryption module 330 may be configured to encrypt the newly created file with the associated cryptographic key.
- the manager module 310 may be configured to forward the encrypted file to the operating system 114 for storage.
- the manager module 310 may be configured to post-process the associated cryptographic key. Subsequently, the manager module 310 may be configured to return to the idle state of 405 .
- FIG. 5 illustrates an exemplary flow diagram for a second operational mode of the group manager module 115 shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention.
- Although FIG. 5 illustrates a flow diagram for the group manager module 115 with the following steps, it should be readily apparent to those of ordinary skill in the art that FIG. 5 represents a generalized illustration of an embodiment of the group manager module 115 and that other steps may be added or existing steps may be removed or modified without departing from the spirit or scope of the present invention.
- the manager module 310 of the group manager module 115 may be configured to be in an idle state.
- the manager module 310 may monitor the message traffic between the application 112 and the operating system 114 by utilizing the API 315 .
- the manager module 310 may be configured to detect an attribute change in a file (e.g., an owner/user has modified the group read permission for the file).
- the manager module 310 may be also configured to determine the current file encryption group to which the file belongs, in step 515.
- the manager module 310 may retrieve the current attributes of the file and use the current attributes as an index into the file encryption group table 340 to retrieve the associated cryptographic key (e.g., a symmetric key, a read key of an asymmetric read/write key pair, etc.) for the selected file in step 520.
- the manager module 310 may be configured to forward the associated cryptographic key and the selected encrypted file to the encryption/decryption module 330, which decrypts the selected encrypted file with the associated cryptographic key.
- the manager module 310 may be configured to determine whether the changed attributes belong to a new file encryption group by utilizing the changed attributes as an index into the file encryption group table 340. If, in step 535, the changed attributes indicate an existing file encryption group, the manager module 310 may be further configured to retrieve the cryptographic key of the existing file encryption group from the file encryption group table 340, in step 540. The manager module 310 may be yet further configured to encrypt the file with the retrieved cryptographic key of the existing file encryption group, in step 545, and store the encrypted file in the shared file system 130, in step 550.
- the manager module 310 may initiate a new cryptographic key (e.g., a symmetric key, an asymmetric read/write key pair, etc.) generation from the key generation module 320, in step 555.
- the manager module 310 may be configured to forward the newly generated cryptographic key and the file to the encryption/decryption module 330, which encrypts the file with the new cryptographic key.
- the manager module 310 may be also configured to forward the encrypted file to the operating system 114 for storage on the shared file system 130 .
- the manager module 310 may be configured to post process the new cryptographic key.
- the manager module 310 may update the file encryption group table 340 with the new cryptographic key and the associated file encryption group.
- the manager module 310 may also store the respective cryptographic key in the file encryption group table 340 .
- the file encryption group table 340 may be implemented with the group manager module 115 on a user station 110 . However, it is also contemplated that the file encryption group 340 may be also implemented in a central location of the system 100 such as a group database server 150 .
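The creation flow of FIG. 4 and the attribute-change flow of FIG. 5, shown in Python as an added example (not code from the patent). The class and function names are assumptions, the table is keyed by the owner/group/mode-bits tuple of TABLE I, and `seal`/`unseal` are a standard-library HMAC-SHA256 encrypt-then-MAC stand-in for the symmetric cipher so that the example runs offline.

```python
import hashlib
import hmac
import secrets
from typing import Dict, NamedTuple, Tuple


class Attrs(NamedTuple):
    """Attributes that define a file encryption group (columns of TABLE I)."""
    owner: str
    group: str
    mode: str  # UNIX mode bits, e.g. "rw-r--r--"


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one group key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real cipher such as AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a key from another group fails here."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong group key or tampered ciphertext")
    nonce, ct = body[:16], body[16:]
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class GroupManager:
    def __init__(self) -> None:
        self.table: Dict[Attrs, bytes] = {}                # group table
        self.storage: Dict[str, Tuple[Attrs, bytes]] = {}  # untrusted store

    def key_for(self, attrs: Attrs) -> bytes:
        # Existing group: reuse its key. New group: generate a random key
        # and record it in the table.
        if attrs not in self.table:
            self.table[attrs] = secrets.token_bytes(32)
        return self.table[attrs]

    def create_file(self, path: str, attrs: Attrs, data: bytes) -> None:
        # FIG. 4: default attributes select the group key; store ciphertext.
        self.storage[path] = (attrs, seal(self.key_for(attrs), data))

    def change_attrs(self, path: str, new_attrs: Attrs) -> None:
        # FIG. 5: decrypt with the current group's key, then re-encrypt
        # with the key of the group the changed attributes index.
        old_attrs, blob = self.storage[path]
        plaintext = unseal(self.table[old_attrs], blob)
        self.storage[path] = (new_attrs, seal(self.key_for(new_attrs), plaintext))

    def read(self, path: str, key: bytes) -> bytes:
        # Access follows from possession of the group key.
        return unseal(key, self.storage[path][1])


def demo() -> dict:
    # Constructed sample data; paths and contents are illustrative only.
    gm = GroupManager()
    g1 = Attrs("User1", "Group I", "rw-r--r--")
    g2 = Attrs("User1", "Group I", "rw-rw-r--")
    gm.create_file("/proj/a.txt", g1, b"alpha")
    gm.create_file("/proj/b.txt", g1, b"bravo")   # same attributes, same key
    k1 = gm.table[g1]
    gm.change_attrs("/proj/b.txt", g2)            # chmod moves b.txt to g2
    k2 = gm.table[g2]
    try:
        gm.read("/proj/b.txt", k1)
        old_key_still_works = True
    except PermissionError:
        old_key_still_works = False
    return {
        "groups": len(gm.table),
        "a_with_k1": gm.read("/proj/a.txt", k1),
        "b_with_k2": gm.read("/proj/b.txt", k2),
        "old_key_still_works": old_key_still_works,
    }


if __name__ == "__main__":
    print(demo())
```

After the attribute change, the first group's key still opens a.txt but no longer opens b.txt, which is what makes possession of a key equivalent to membership in that file encryption group.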
- FIG. 6 illustrates an exemplary block diagram of a computer platform 600 where an embodiment of the present invention may be practiced.
- the computing platform 600 includes one or more processors, such as processor 602 that provides an execution platform for the group manager module 115. Commands and data from the processor 602 are communicated over a communication bus 604.
- the computing platform 600 also includes a main memory 606, preferably Random Access Memory (RAM), where the software for the group manager module 115 may be executed during runtime, and a secondary memory 608.
- the secondary memory 608 includes, for example, a hard disk drive 610 and/or a removable storage drive 612, representing a floppy diskette drive, a magnetic tape drive, a compact disk drive, etc., where a copy of software for the security module 115 may be stored.
- the removable storage drive 612 reads from and/or writes to a removable storage unit 614 in a well-known manner.
- a user interfaces with the group manager module 115 with a keyboard 616 , a mouse 618 , and a display 620 .
- the display adaptor 622 interfaces with the communication bus 604 to receive display data from the processor 602 and converts the display data into display commands for the display 620 .
- the computer program may exist in a variety of forms both active and inactive.
- the computer program can exist as software program(s) comprised of program instructions in source code, object code, executable code or other formats; firmware program(s); or hardware description language (HDL) files.
- Any of the above can be embodied on a computer readable medium, which include storage devices and signals, in compressed or uncompressed form.
- Exemplary computer readable storage devices include conventional computer system RAM (random access memory), ROM (read-only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), and magnetic or optical disks or tapes.
- Exemplary computer readable signals are signals that a computer system hosting or running the present invention can be configured to access, including signals downloaded through the Internet or other networks.
- Concrete examples of the foregoing include distribution of executable software program(s) of the computer program on a CD ROM or via Internet download.
- the Internet itself, as an abstract entity, is a computer readable medium. The same is true of computer networks in general.
Abstract
Description
- The following commonly assigned applications, filed concurrently, may contain some common disclosure and may relate to the present invention. Thus, the following applications are hereby incorporated by reference:
- U.S. patent application Ser. No. 09/______, entitled “SYSTEM FOR ENABLING LAZY-REVOCATION THROUGH RECURSIVE KEY GENERATION” (Attorney Docket No. 10017428-1);
- U.S. patent application Ser. No. 09/______, entitled “SYSTEM FOR ENCRYPTED FILE STORAGE OPTIMIZATION VIA DIFFERENTIATED KEY SIZES” (Attorney Docket No. 10017431-1); and
- U.S. patent application Ser. No. 09/______, entitled “SYSTEM FOR ENSURING DATA PRIVACY AND USER DIFFERENTIATION IN A DISTRIBUTED FILE SYSTEM” (Attorney Docket No. 10017426-1/10017433-1).
- This invention relates generally to file system management. In particular, the invention relates to optimizing key management in a cryptographic file system.
- The typical file system (e.g., MICROSOFT WINDOWS, traditional UNIX, etc.) does not encrypt the data stored on the underlying data storage devices. Instead, the typical file system protects data as it is transferred between user and server. In an untrusted file server environment, the data storage devices are under the control of a third party who may not be fully trusted to protect the data or prevent malicious users from accessing, copying or using the stored data.
- One solution to protecting data is for a user to encrypt the data prior to transfer to the data storage device. However, the user has the responsibility for encrypting/decrypting data and sharing the file with other users. Users may find that the personal management of the security for the file may become tiresome.
- Another solution for a cryptographic file system is described in “Fast and Secure Distributed Read-Only File System,” OSDI, October 2000 written by K. Fu, M. Kaashoek and D. Mazieres, which is hereby incorporated by reference in its entirety. In this cryptographic file system, a user decides on the granularity at which the keys are to be aggregated. Unfortunately, this forces a client to manage a large number of keys and the mapping of the keys to the files, which makes it difficult for a user to share files. As a result, this cryptographic file system deters people from regularly using the system.
- Yet another solution for a cryptographic file system is described in “A Cryptographic File System for UNIX,” Proceedings of 1st ACM Conference on Communications and Computing Security, 1993, written by M. Blaze, which is incorporated by reference in its entirety. In this cryptographic file system, the file system defines the groups that are used to determine a client's (or user) access control permissions. In particular, an entire directory that is to be protected is encrypted and its access permissions are determined by the UNIX permissions of the file representing that directory. However, this example of a cryptographic file system has several drawbacks. For instance, the system administrator decides the groups defined by the file system. As a result, users tend to gravitate towards making all files either universally accessible (public) or completely closed (private), effectively voiding the usefulness of the file system.
- In accordance with the principles of the present invention, one aspect of the invention pertains to a method of implementing a file system. The method includes creating a plurality of file encryption groups from a plurality of files based on common attributes of the plurality of files and associating each file encryption group of the plurality of file encryption groups with a respective key. The method also includes accessing one file encryption group by utilizing one respective key.
- Another aspect of the present invention relates to a system for implementing a file system. The system includes at least one processor, a memory coupled to at least one processor, and a group manager module. The group manager module resides in the memory and is executed by at least one processor. The group manager module is configured to create a plurality of file encryption groups from a plurality of files based on common attributes of the plurality of files and is also configured to associate each file encryption group of the plurality of file encryption groups with a respective key. The group manager module is further configured to access one file encryption group by utilizing one respective key.
- Another aspect of the present invention pertains to an apparatus for implementing a file system. The apparatus includes an interface configured to communicate with a storage device, an encryption/decryption module, and a manager module. The manager module is configured to associate a subplurality of files of a plurality of files stored on the storage device into a file group based on common attributes of the subplurality of files and to encrypt the subplurality of files with one encryption key of the plurality of encryption keys by utilizing the encryption/decryption module.
- Various features and aspects of the present invention can be more fully appreciated as the same become better understood with reference to the following detailed description of the present invention when considered in connection with the accompanying drawings, in which:
- FIG. 1 illustrates a block diagram of a system utilizing an embodiment of a group manager module in accordance with the principles of the present invention;
- FIG. 2 illustrates an exemplary diagram of a file structure organized by the group manager module shown in FIG. 1 in accordance with an embodiment of the present invention;
- FIG. 3 illustrates a diagram of an exemplary architecture of the group manager module shown in FIG. 1 in accordance with an embodiment of the present invention;
- FIG. 4 illustrates an exemplary flow diagram for an operational mode of the group manager module shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention;
- FIG. 5 illustrates an exemplary flow diagram for a second operational mode of the group manager module shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention; and
- FIG. 6 illustrates an exemplary block diagram of a computer system where an embodiment of the present invention may be practiced.
- For simplicity and illustrative purposes, the principles of the present invention are described by referring mainly to an exemplary embodiment of a group manager module. However, one of ordinary skill in the art would readily recognize that the same principles are equally applicable to, and can be implemented in, all types of systems requiring file management, and that any such variations do not depart from the true spirit and scope of the present invention. Moreover, in the following detailed description, references are made to the accompanying drawings, which illustrate specific embodiments in which the present invention may be practiced. Electrical, mechanical, logical and structural changes may be made to the embodiments without departing from the spirit and scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense and the scope of the present invention is defined by the appended claims and their equivalents.
- In accordance with the principles of the present invention, a group manager module may be utilized to manage files in a shared file system. In particular, a group manager module may provide the capability to segregate or associate files into file encryption groups. A file may be placed into a file encryption group based on the common attributes of the file with the other members of the file encryption group. The attributes may be characteristics (or parameters) that describe who has access to a file such as UNIX permission/mode bits, access control lists or other similar characteristics. Once associated with a file encryption group, the file may be encrypted with the associated cryptographic key (e.g., a symmetric encryption key, an asymmetric read/write key pair, or other similar key) of the selected file encryption group, and thus, decrypted with the associated cryptographic key (e.g., a symmetric encryption key, an asymmetric read/write key pair, or other similar key) of the selected file encryption group. A user may have membership into multiple file encryption groups as long as the user possesses the appropriate cryptographic keys, whereby group membership is indirectly determined through possession of a cryptographic key, rather than being explicitly maintained in some central database.
- In one aspect of the present invention, a group manager module may be configured to determine whether to generate cryptographic keys for a new file group in response to a data (or file) creation event, i.e., file being created. The operating system may assign a default set of attributes (e.g., mode bits, access control lists) based on the attributes of the user (e.g., “user group1 rw-r--r--”). The group manager may be configured to determine a cryptographic key based on the default set of attributes. The group manager module may encrypt the file with the selected cryptographic key for storage on a shared file system. The encrypted file may be then associated with the file encryption group of the selected cryptographic key, i.e., the files that have been encrypted with the selected cryptographic key.
- In yet another aspect of the present invention, the cryptographic key associated with a selected file encryption group may be a symmetric key or an asymmetric read/write key pair, which is disclosed in more detail in a commonly assigned and concurrently filed U.S. patent application Ser. No. 09/______, entitled “SYSTEM FOR ENSURING DATA PRIVACY AND USER DIFFERENTIATION IN A DISTRIBUTED FILE SYSTEM” (Attorney Docket No. 10017426-1/10017433-1) and is hereby incorporated by reference in its entirety. In particular, if the associated cryptographic key of a file encryption group is a symmetric key, the symmetric key may be randomly generated. If the associated cryptographic key of a file encryption group is an asymmetric read/write key pair, the read/write key pair may be generated using an asymmetric crypto-algorithm such as the Rivest-Shamir-Adleman (RSA) algorithm, which is discussed in U.S. Pat. No. 4,405,829 and is hereby incorporated by reference in its entirety. The read/write key pair may respectively decrypt/encrypt the file.
- In another aspect, the group manager module may be also configured to detect a change in the attributes of an encrypted file. An example of a change in the attributes may be an owner of the file executing a UNIX command such as ‘chmod’, ‘chown’, ‘chgrp’, or other similar commands. The group manager module may be further configured to determine whether the changed attributes may create a new file encryption group. If the changed attributes do not create a new file encryption group, the group manager module may be further configured to search a file encryption group table for the corresponding cryptographic key of the existing file encryption group as well as a current cryptographic key for the encrypted file. The group manager module may be further configured to decrypt the encrypted file with the current cryptographic key and re-encrypt the file with the corresponding cryptographic key of the existing file encryption group. Accordingly, selected files may switch file encryption data groups.
- Otherwise, if the attribute change creates a new file encryption group, the group manager module may be configured to generate a cryptographic key (e.g., a symmetric key, an asymmetric read/write key pair, etc.) for the new file encryption group. The group manager module may be also configured to encrypt the data with the new cryptographic key and store the encrypted data on a shared file system. The group manager module may be further configured to update the file encryption group table.
- Accordingly, by organizing files into file encryption groups where each group is indexed by a respective cryptographic key, users may benefit from a minimization of cryptographic keys for files. Files that are commonly accessed by a group of users may share the same cryptographic key as opposed to some conventional systems where each file would have its own cryptographic key. This sharing of keys is done by automatically matching the sharing structure of the system (including owners, groups, and mode bits); it does not require any centralized authority or administrator to create new groups. For example, a file with “rw-” permissions for a particular UNIX group will be in a different file encryption group than a file with only “r--” permissions for that UNIX group. This provides a more natural grouping of files and superior protection. Note that read or write permissions to access a file are determined by other mechanisms, either the underlying UNIX system or a scheme that differentiates based on the cryptographic keys themselves (see U.S. patent application Ser. No. 09/______, entitled “SYSTEM FOR ENSURING DATA PRIVACY AND USER DIFFERENTIATION IN A DISTRIBUTED FILE SYSTEM”, Attorney Docket No. 10017426-1/10017433-1), and this differentiation based on mode bits is done solely to group files with similar patterns. It is not part of the enforcement mechanism, as in existing systems.
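The grouping and re-keying behaviour summarized above (one key per attribute tuple, a file moving between groups when its attributes change) can be seen end to end in the following added Python example, which is not code from the patent. The names `GroupManager`, `seal` and `unseal`, the in-memory dictionaries standing in for the shared file system and the operating system's file metadata, and the HMAC-SHA256 keystream with encrypt-then-MAC used in place of a symmetric cipher such as AES (so the example runs on the standard library alone) are all assumptions of the example.

```python
"""File encryption groups keyed by (owner, group, mode bits)."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

Attrs = Tuple[str, str, str]  # (owner, group, mode bits): the group table's index


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one group key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a key from another group fails here."""
    if len(blob) < 48:
        raise ValueError("truncated ciphertext")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong group key or modified file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class GroupManager:
    def __init__(self) -> None:
        self.table: Dict[Attrs, bytes] = {}  # file encryption group table
        self.attrs: Dict[str, Attrs] = {}    # stands in for OS file metadata
        self.store: Dict[str, bytes] = {}    # stands in for the shared file system

    def _key_for(self, attrs: Attrs) -> Tuple[bytes, bool]:
        """Look up the group key; generate one if the group is new."""
        key = self.table.get(attrs)
        if key is not None:
            return key, False
        key = secrets.token_bytes(32)
        self.table[attrs] = key
        return key, True

    def create(self, path: str, attrs: Attrs, data: bytes) -> bool:
        """File creation event. Returns True if a new group was created."""
        key, created = self._key_for(attrs)
        self.store[path] = seal(key, data)
        self.attrs[path] = attrs
        return created

    def change_attrs(self, path: str, new_attrs: Attrs) -> bool:
        """Attribute change event (chmod/chown/chgrp): decrypt with the
        current group's key, re-encrypt under the target group's key."""
        old_attrs = self.attrs[path]
        if new_attrs == old_attrs:
            return False
        plaintext = unseal(self.table[old_attrs], self.store[path])
        key, created = self._key_for(new_attrs)
        self.store[path] = seal(key, plaintext)
        self.attrs[path] = new_attrs
        return created

    def read(self, path: str, key: bytes) -> bytes:
        """Access is by possession of the group key, not by a member list."""
        return unseal(key, self.store[path])


if __name__ == "__main__":
    gm = GroupManager()
    a = ("User1", "Group I", "rw-r--r--")  # constructed sample attributes
    b = ("User1", "Group I", "rw-rw-r--")
    gm.create("/shared/report.txt", a, b"q3 numbers")
    gm.create("/shared/notes.txt", a, b"meeting notes")
    print("groups after two creates:", len(gm.table))
    print("chmod created new group:", gm.change_attrs("/shared/report.txt", b))
    print("groups after chmod:", len(gm.table))
```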
- FIG. 1 illustrates a block diagram of a system 100 where an embodiment of the present invention may be practiced. As shown in FIG. 1, the system 100 includes user stations 110, a network 120, and a shared file system 130.
- The user stations 110 of the system 100 may be configured to provide access to computer software applications and/or data. The user stations 110 may be implemented by a personal computer, a laptop computer, a workstation, a portable wireless device, and other similar computing devices.
- Each user station 110 may include an application 112, an operating system 114 and a group manager module 115. Although, for illustrative purposes only, FIG. 1 illustrates an exemplary embodiment of the architecture for the user station 110, it should be readily apparent to those of ordinary skill in the art that FIG. 1 represents a generalized schematic illustration of the user station 110 and that other components may be added or existing components may be removed without departing from the spirit or scope of the present invention.
- The application 112 may be a software computer program that is executed on the user station 110. The application 112 may be a word processing program, a spreadsheet program or any other type of program that generates files to be stored in the shared file system 130. The application 112 may be interfaced with the operating system 114 through an application program interface (API, not shown). The operating system 114 may be configured to manage the software applications, data and respective hardware components (e.g., displays, disk drives, etc.) of the user station 110. The operating system 114 may be implemented by MICROSOFT WINDOWS family of operating systems, UNIX, HEWLETT-PACKARD HP-UX, LINUX, RIM OS, and other similar operating systems.
- The operating system 114 of the user station 110 may be configured to interface with the group manager module 115. The group manager module 115 may be configured to provide the capability of grouping files into file encryption groups based on a set of attributes associated with the file. The attributes may be characteristics/parameters that describe who has access to a file such as UNIX permission/mode bits (group-read/write/executable bits, owner-read/write/executable bits, users-read/write/executable bits). The group manager module 115 may be implemented as a software program, a utility, a subroutine, or other similar programming entity. In this respect, the group manager module 115 may be programmed using software languages such as C, C++, JAVA, etc. Alternatively, the group manager module 115 may be implemented as an electronic device utilizing an application specific integrated circuit, discrete components, solid-state components or combination thereof.
- The user stations 110 may be further configured to interface with the network 120 through a respective network interface (not shown). The network 120 may be configured to provide a communication channel between each user station 110 and the shared file system 130. The network 120 may be a wired network (e.g., PSTN, fiber optic, etc.), wireless network (e.g., text messaging, Wireless Application Protocol, etc.), or combination thereof. The network 120 may be further configured to support network protocols such as Transmission Control Protocol/Internet Protocol, IEEE 802.5, Asynchronous Transfer Mode, Cellular Digital Packet Data, MOBITEX, IEEE 801.11b, and other similar network protocols.
- The shared file system 130 may be configured to provide storage of data and/or software applications for the system 100. The shared file system 130 may be a network accessible disk drive and/or array of disks.
- Optionally, the system 100 may include a key distribution center 140 and a group database server 150. The key distribution center 140 may be configured to provide a secure method of transferring encryption/decryption keys within the system 100. The group database server 150 may be configured to provide central access to the user of the system 100 for information related to file encryption groups. In one contemplated embodiment, the group database server 150 may store a file encryption group table that is configured to provide a listing of encryption keys (or pointers to encryption keys) and respective file encryption group. The file encryption group may be defined in terms of the common attributes of the files contained in the file encryption group, for example, as shown in the following TABLE I:

TABLE I

| owner | group | mode bits | key |
| --- | --- | --- | --- |
| User1 | Group I | rw-r--r-- | K1 |
| User1 | Group I | rw-rw-r-- | K2 |
| User2 | Group I | rw-rw-r-- | K3 |
| User2 | Group II | rwxrwxr-x | K4 |

- In accordance with one aspect of the present invention, an owner may create a file utilizing user station 110. The group manager module 115 may be configured to detect the file creation command from the application 112 to the operating system 114. The operating system may assign a set of default attributes to the newly created file based on the attributes of the file owner. The group manager module 115 may be also configured to search a file encryption group table for a corresponding cryptographic key based on the set of default attributes. If the corresponding cryptographic key (e.g., a symmetric key, an asymmetric read/write key pair, etc.) is found (and thereby associating the file with an associated file encryption group), the group manager module 115 may be further configured to encrypt the file with the corresponding cryptographic key of the selected file encryption group and forward the encrypted data for storage in the shared file system 130 (or other memory devices local or remote).
- In accordance with another aspect of the present invention, an owner may modify attributes (e.g., UNIX file permissions: group-read/write/executable bits, user-read/write/executable bits, and owner-read/write/executable bits) of a selected file. Alternatively, for a system using access control lists (ACLs) such as the Andrew File System (AFS), the owner may modify an associated ACL for the selected file.
- The group manager module 115 may be configured to determine whether the changed attributes may be associated with an existing file encryption group. If an existing file encryption group exists, the group manager module may be also configured to retrieve the corresponding write key for the existing file encryption group as well as the corresponding read key for the current file encryption group of the file. The group manager module may be further configured to decrypt the encrypted file with the read key and re-encrypt the file with the corresponding write key of the existing file encryption group.
- Subsequently, the group manager module may update the file encryption group table. In one contemplated embodiment, the group manager module may be configured to maintain the file encryption group table on the user station 110. The group manager module 115 may refer to the file encryption group table to determine the association between encryption keys and file encryption groups. In another contemplated embodiment, the group manager module may be configured to maintain the file encryption group table in a central location such as the group database server 150. The group database server 150 may be configured to provide a central location for all users of the system 100 to determine to which file encryption group a particular file belongs.
- FIG. 2 illustrates an exemplary diagram of a file structure 200 organized by the group manager module shown in FIG. 1 in accordance with an embodiment of the present invention. As shown in FIG. 2, a file encryption group 210 may include a plurality of files F1 . . . FN, where each file has been encrypted with the same key, K1. A file encryption group 220 may comprise a plurality of files F′1 . . . F′N, where each file has been encrypted with the key, K2, and a file encryption group 230 may contain a plurality of files Fx1 . . . FxN, where each file has been encrypted with the key, Kx.
- Each file encryption group, 210-230, may include a variety of files created by various owners of files. Each file is placed into its respective file encryption group, 210-230, based on the attributes of each file. Access may be granted to each file encryption group, 210-230, based on the possession of the respective key of each of the file encryption groups 210-230. File owners may affect a file's membership in file encryption groups 210-230 by modifying the attributes of a selected file.
- FIG. 3 illustrates a diagram of an exemplary architecture of the group manager module 115 shown in FIG. 1 in accordance with an embodiment of the present invention. Although, for illustrative purposes only, FIG. 3 illustrates an exemplary embodiment of the group manager module 115, it should be readily apparent to those of ordinary skill in the art that FIG. 3 represents a generalized schematic illustration of the group manager module 115 and that other components may be added or existing components may be removed without departing from the spirit or scope of the present invention. Moreover, since FIG. 3 illustrates an exemplary embodiment of the group manager module 115, the group manager module 115 may be implemented as a hardware embodiment, a software embodiment, and/or combination thereof, and such embodiments are well within the scope and spirit of the present invention.
- As shown in FIG. 3, the group manager module 115 includes a manager module 310, a key generation module 320, and an encryption/decryption module 330. The manager module 310 may be configured to provide management functions for the group manager module 115. For example, the manager module 310 may be configured to detect a file creation event and/or an attribute-changing event by monitoring an API 315 between the application 112 and the operating system. The manager module 115 may be also configured to determine to which file encryption group a file belongs in response to a file attribute change event. Further details of the functionality of the manager module 115 may be explained in fuller detail herein below in conjunction with FIGS. 4 and 5.
- The manager module 310 may be further configured to interface with the key generation module 320. The key generation module 320 may be configured to generate single keys or read/write key pairs for a new file encryption group. The key generation module 320 may create randomly-generated keys for use in symmetric cryptographic algorithms such as DES, AES, etc., or key pairs via asymmetric cryptographic algorithms such as RSA, El-Gamal, McEliece, etc.
- The manager module 310 may be further configured to interface with the encryption/decryption module 330. The encryption/decryption module 330 may be configured to provide encryption and decryption services to the group manager module 115. In particular, the encryption/decryption module 330 may encode files belonging to a particular file encryption group with the appropriate encryption (e.g., a write) key. The encryption/decryption module 330 may also decode the encrypted files with a complementary decryption (or read key) for an authorized viewer to access the file.
- The manager module 310 may be further configured to interface with an optional file encryption group table 340. In one contemplated embodiment, the file encryption group table 340 may be configured to provide a listing of encryption keys and their associated file encryption groups. The file encryption group table 340 may be implemented as a table, a linked-list or other similar indexing tool. The manager module 310 may search the file encryption group table 340 in order to determine if a file encryption group has an existing encryption key. In another contemplated embodiment, the file encryption group table 340 may be optionally located in a central location such as the group database server 150 (shown in FIG. 1). The manager module 310 may communicate with the group database server 150 for a determination of an existing file encryption group for the file over the network 130 utilizing network communication protocols such as Ethernet, local area network, TCP/IP, etc.
- The file encryption group table 340 may be implemented with a memory such as dynamic random access memory, flash memory or other non-permanent memories. The file encryption group table 340 may be optionally configured with a memory access device such as a floppy disk drive, smart card, a memory stick or other similar memories. In this manner, the file encryption group table 340 may be stored on the medium of the memory device 350. Subsequently, the medium may be stored in a secure location (e.g., a vault or locked desk drawer).
- FIG. 4 illustrates an exemplary flow diagram for an operational mode of the group manager module shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention. Although, for illustrative purposes only, FIG. 4 illustrates a flow diagram for the group manager module 115 with the following steps, it should be readily apparent to those of ordinary skill in the art that FIG. 4 represents a generalized illustration of an embodiment of the group manager module 115 and that other steps may be added or existing steps may be removed without departing from the spirit or scope of the present invention.
- As shown in FIG. 4, in step 405, the manager module 115 of the group manager module 115 may be configured to be in an idle state monitoring the API interface 315. In step 410, the manager module 310 may detect data being written, i.e., a file being created. The operating system 114 may be configured to assign a set of default attributes based on the attributes of the file owner.
- In step 415, the manager module 310 may be configured to retrieve a cryptographic key based on the set of default attributes. In particular, the manager module 310 may search the file encryption group table for the associated cryptographic key (e.g., a symmetric key, an asymmetric read/write key pair, etc.) for the file encryption group 340 that is defined by the set of default attributes. Typically, the file owner may supply the associated cryptographic key when the file owner's user account was created. Accordingly, the newly created file may be associated with a file encryption group that may be defined by the set of default attributes of the file owner.
- In step 420, the manager module 310 may be configured to forward the associated cryptographic key and the newly created file to the encryption/decryption module 330. The encryption/decryption module 330 may be configured to encrypt the newly created file with the associated cryptographic key.
- In step 425, the manager module 310 may be configured to forward the encrypted file to the operating system 114 for storage. In step 430, the manager module 310 may be configured to post-process the associated cryptographic key. Subsequently, the manager module 310 may be configured to return to the idle state of 405.
- FIG. 5 illustrates an exemplary flow diagram for a second operational mode of the group manager module 115 shown in FIGS. 1 and 3 in accordance with an embodiment of the present invention. Although, for illustrative purposes only, FIG. 5 illustrates a flow diagram for the group manager module 115 with the following steps, it should be readily apparent to those of ordinary skill in the art that FIG. 5 represents a generalized illustration of an embodiment of the group manager module 115 and that other steps may be added or existing steps may be removed or modified without departing from the spirit or scope of the present invention.
- As shown in FIG. 5, in step 505, the manager module 310 of the group manager module 115 may be configured to be in an idle state. The manager module 310 may monitor the message traffic between the application 112 and the operating system 114 by utilizing the API 315.
- In step 510, the manager module 310 may be configured to detect an attribute change in a file (e.g., an owner/user has modified the group read permission for the file). The manager module 310 may be also configured to determine the current file encryption group to which the file belongs, in step 515. In particular, the manager module 310 may retrieve the current attributes of the file and use the current attributes as an index into the file encryption group table 340 to retrieve the associated cryptographic key (e.g., a symmetric key, a read key of an asymmetric read/write key pair, etc.) for the selected file in step 520.
- In step 525, the manager module 310 may be configured to forward the associated cryptographic key and the selected encrypted file to the encryption/decryption module 330, which decrypts the selected encrypted file with the associated cryptographic key.
- In step 530, the manager module 310 may be configured to determine whether the changed attributes belong to a new file encryption group by utilizing the changed attributes as an index into the file encryption group table 340. If, in step 535, the changed attributes indicate an existing file encryption group, the manager module 310 may be further configured to retrieve the cryptographic key of the existing file encryption group from the file encryption group table 340, in step 540. The manager module 310 may be yet further configured to encrypt the file with the retrieved cryptographic key of the existing file encryption group, in step 545, and store the encrypted file in the shared file system 130, in step 550.
- Returning to step 535, if the manager module 310 determines that the changed attributes indicate a new group, the manager module 310 may initiate a new cryptographic key (e.g., a symmetric key, an asymmetric read/write key pair, etc.) generation from the key generation module 320, in step 555.
- In step 560, the manager module 310 may be configured to forward the newly generated cryptographic key and the file to the encryption/decryption module 330, which encrypts the file with the new cryptographic key. In step 565, the manager module 310 may be also configured to forward the encrypted file to the operating system 114 for storage on the shared file system 130.
- In step 570, the manager module 310 may be configured to post process the new cryptographic key. In particular, the manager module 310 may update the file encryption group table 340 with the new cryptographic key and the associated file encryption group. The manager module 310 may also store the respective cryptographic key in the file encryption group table 340.
- It is contemplated that the file encryption group table 340 may be implemented with the group manager module 115 on a user station 110. However, it is also contemplated that the file encryption group 340 may be also implemented in a central location of the system 100 such as a group database server 150.
- FIG. 6 illustrates an exemplary block diagram of a computer platform 600 where an embodiment of the present invention may be practiced. As shown in FIG. 6, the computing platform 600 includes one or more processors, such as processor 602 that provides an execution platform for the group manager module 115. Commands and data from the processor 602 are communicated over a communication bus 604. The computing platform 600 also includes a main memory 606, preferably Random Access Memory (RAM), where the software for the group manager module 115 may be executed during runtime, and a secondary memory 608. The secondary memory 608 includes, for example, a hard disk drive 610 and/or a removable storage drive 612, representing a floppy diskette drive, a magnetic tape drive, a compact disk drive, etc., where a copy of software for the security module 115 may be stored. The removable storage drive 612 reads from and/or writes to a removable storage unit 614 in a well-known manner. A user interfaces with the group manager module 115 with a keyboard 616, a mouse 618, and a display 620. The display adaptor 622 interfaces with the communication bus 604 to receive display data from the processor 602 and converts the display data into display commands for the display 620.
- Certain embodiments of the present invention may be performed as a computer program. The computer program may exist in a variety of forms both active and inactive. For example, the computer program can exist as software program(s) comprised of program instructions in source code, object code, executable code or other formats; firmware program(s); or hardware description language (HDL) files. Any of the above can be embodied on a computer readable medium, which include storage devices and signals, in compressed or uncompressed form.
Exemplary computer readable storage devices include conventional computer system RAM (random access memory), ROM (read-only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), and magnetic or optical disks or tapes. Exemplary computer readable signals, whether modulated using a carrier or not, are signals that a computer system hosting or running the present invention can be configured to access, including signals downloaded through the Internet or other networks. Concrete examples of the foregoing include distribution of executable software program(s) of the computer program on a CD ROM or via Internet download. In a sense, the Internet itself, as an abstract entity, is a computer readable medium. The same is true of computer networks in general.
- While the invention has been described with reference to the exemplary embodiments thereof, those skilled in the art will be able to make various modifications to the described embodiments of the invention without departing from the true spirit and scope of the invention. The terms and descriptions used herein are set forth by way of illustration only and are not meant as limitations. In particular, although the method of the present invention has been described by examples, the steps of the method may be performed in a different order than illustrated or simultaneously. Those skilled in the art will recognize that these and other variations are possible within the spirit and scope of the invention as defined in the following claims and their equivalents.
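The FIG. 5 re-keying flow (steps 510 to 570) as an added Python example, not code from the patent. `Attrs`, `GroupManager`, `seal` and `unseal` are hypothetical names, the attribute tuple (owner, group, mode) is an assumed model of what indexes the file encryption group table 340, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the encryption/decryption module 330 so that only the standard library is needed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Attrs:
    """Attributes that select a file encryption group (assumed model)."""
    owner: str
    group: str
    mode: int


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the one group key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode as a keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt then MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


class GroupManager:
    def __init__(self):
        self.table = {}          # file encryption group table 340: Attrs -> key
        self.store = {}          # shared file system 130: path -> (Attrs, blob)
        self.keys_generated = 0  # one key per group, not per file

    def _key_for(self, attrs):
        # Steps 530-540: look the attributes up; steps 555 and 570: generate
        # and record a key when they describe a new group. The key is recorded
        # before any ciphertext is replaced, so a failure between the two
        # writes cannot leave a file under a key that exists nowhere.
        key = self.table.get(attrs)
        if key is None:
            key = secrets.token_bytes(32)
            self.table[attrs] = key
            self.keys_generated += 1
        return key

    def write(self, path, attrs, data):
        self.store[path] = (attrs, seal(self._key_for(attrs), data))

    def read(self, path):
        attrs, blob = self.store[path]
        return unseal(self.table[attrs], blob)

    def change_attrs(self, path, new_attrs):
        old_attrs, blob = self.store[path]               # steps 510-515
        plaintext = unseal(self.table[old_attrs], blob)  # steps 520-525
        new_key = self._key_for(new_attrs)               # steps 530-555
        self.store[path] = (new_attrs, seal(new_key, plaintext))  # 545-565


if __name__ == "__main__":
    gm = GroupManager()
    shared = Attrs("alice", "eng", 0o640)   # constructed sample attributes
    gm.write("/shared/design.txt", shared, b"design notes")
    gm.change_attrs("/shared/design.txt", Attrs("alice", "eng", 0o600))
    print(gm.read("/shared/design.txt"), gm.keys_generated)
```

A holder of the old group key can no longer open the re-encrypted file, but any copy of the old ciphertext made before the change remains readable with that key.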
Claims (21)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/984,928 US7171557B2 (en) | 2001-10-31 | 2001-10-31 | System for optimized key management with file groups |
Publications (2)
Publication Number | Publication Date |
---|---|
US20030081784A1 true US20030081784A1 (en) | 2003-05-01 |
US7171557B2 US7171557B2 (en) | 2007-01-30 |
Family
ID=25531028
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/984,928 Expired - Fee Related US7171557B2 (en) | 2001-10-31 | 2001-10-31 | System for optimized key management with file groups |
Country Status (1)
Country | Link |
---|---|
US (1) | US7171557B2 (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5495533A (en) * | 1994-04-29 | 1996-02-27 | International Business Machines Corporation | Personal key archive |
US5548648A (en) * | 1994-04-05 | 1996-08-20 | International Business Machines Corporation | Encryption method and system |
US5584023A (en) * | 1993-12-27 | 1996-12-10 | Hsu; Mike S. C. | Computer system including a transparent and secure file transform mechanism |
US5953419A (en) * | 1996-05-06 | 1999-09-14 | Symantec Corporation | Cryptographic file labeling system for supporting secured access by multiple users |
US20020166053A1 (en) * | 2001-05-02 | 2002-11-07 | Sun Microsystems, Inc. | Method, system, and program for encrypting files in a computer system |
US20030005300A1 (en) * | 2001-04-12 | 2003-01-02 | Noble Brian D. | Method and system to maintain portable computer data secure and authentication token for use therein |
US20030037248A1 (en) * | 2001-03-26 | 2003-02-20 | John Launchbury | Crypto-pointers for secure data storage |
US6577735B1 (en) * | 1999-02-12 | 2003-06-10 | Hewlett-Packard Development Company, L.P. | System and method for backing-up data stored on a portable audio player |
US6662198B2 (en) * | 2001-08-30 | 2003-12-09 | Zoteca Inc. | Method and system for asynchronous transmission, backup, distribution of data and file sharing |
US20050108240A1 (en) * | 2001-03-21 | 2005-05-19 | Microsoft Corporation | On-disk file format for a serverless distributed file system |
US9177176B2 (en) | 2006-02-27 | 2015-11-03 | Broadcom Corporation | Method and system for secure system-on-a-chip architecture for multimedia data processing |
US9489318B2 (en) | 2006-06-19 | 2016-11-08 | Broadcom Corporation | Method and system for accessing protected memory |
US8099789B2 (en) | 2006-09-29 | 2012-01-17 | Lenovo (Singapore) Pte. Ltd. | Apparatus and method for enabling applications on a security processor |
US20080104416A1 (en) * | 2006-09-29 | 2008-05-01 | Challener David C | Apparatus and method for enabling applications on a security processor |
US20080243782A1 (en) * | 2007-03-28 | 2008-10-02 | Microsoft Corporation | Client collection membership evaluation |
US20090063543A1 (en) * | 2007-09-04 | 2009-03-05 | Timothy Martin | Media Asset Rating System |
US8046369B2 (en) | 2007-09-04 | 2011-10-25 | Apple Inc. | Media asset rating system |
US20110040964A1 (en) * | 2007-12-21 | 2011-02-17 | Lawrence Edward Nussbaum | System and method for securing data |
US8806207B2 (en) * | 2007-12-21 | 2014-08-12 | Cocoon Data Holdings Limited | System and method for securing data |
US9444793B2 (en) | 2008-09-15 | 2016-09-13 | Vaultive Ltd. | System, apparatus and method for encryption and decryption of data transmitted over a network |
US20110173438A1 (en) * | 2008-09-15 | 2011-07-14 | Vaultive Ltd. | Method and system for secure use of services by untrusted storage providers |
US10025940B2 (en) | 2008-09-15 | 2018-07-17 | Vaultive Ltd. | Method and system for secure use of services by untrusted storage providers |
US9369281B2 (en) * | 2008-09-15 | 2016-06-14 | Vaultive Ltd. | Method and system for secure use of services by untrusted storage providers |
US20100150342A1 (en) * | 2008-12-16 | 2010-06-17 | Richards Ronald W | Encryption and decryption of records in accordance with group access vectors |
US8412957B2 (en) * | 2008-12-16 | 2013-04-02 | SAP France S.A. | Encryption and decryption of records in accordance with group access vectors |
US8983066B2 (en) * | 2009-02-27 | 2015-03-17 | Cisco Technology, Inc. | Private pairwise key management for groups |
US20100220856A1 (en) * | 2009-02-27 | 2010-09-02 | Johannes Petrus Kruys | Private pairwise key management for groups |
CN101944168B (en) * | 2009-07-09 | 2013-01-09 | 精品科技股份有限公司 | Electronic file authority control and management system |
US10313371B2 (en) | 2010-05-21 | 2019-06-04 | Cyberark Software Ltd. | System and method for controlling and monitoring access to data processing applications |
US9740639B2 (en) | 2011-08-30 | 2017-08-22 | Microsoft Technology Licensing, Llc | Map-based rapid data encryption policy compliance |
CN104081390A (en) * | 2012-01-25 | 2014-10-01 | 三菱电机株式会社 | Data search device, data search method, data search program, data registration device, data registration method, data registration program and information processing device |
USRE48146E1 (en) | 2012-01-25 | 2020-08-04 | Mitsubishi Electric Corporation | Data search device, data search method, computer readable medium storing data search program, data registration device, data registration method, computer readable medium storing data registration program, and information processing device |
US10235539B2 (en) | 2013-02-25 | 2019-03-19 | Mitsubishi Electric Corporation | Server device, recording medium, and concealed search system |
US11042663B2 (en) | 2013-03-12 | 2021-06-22 | Commvault Systems, Inc. | Automatic file encryption |
US10445518B2 (en) | 2013-03-12 | 2019-10-15 | Commvault Systems, Inc. | Automatic file encryption |
US9990512B2 (en) * | 2013-03-12 | 2018-06-05 | Commvault Systems, Inc. | File backup with selective encryption |
US11928229B2 (en) | 2013-03-12 | 2024-03-12 | Commvault Systems, Inc. | Automatic file encryption |
US9171145B2 (en) * | 2013-05-24 | 2015-10-27 | Symantec Corporation | Protecting cryptographic secrets using file system attributes |
US20140351587A1 (en) * | 2013-05-24 | 2014-11-27 | Symantec, Inc. | Protecting cryptographic secrets using file system attributes |
US10615967B2 (en) | 2014-03-20 | 2020-04-07 | Microsoft Technology Licensing, Llc | Rapid data protection for storage devices |
US9825945B2 (en) | 2014-09-09 | 2017-11-21 | Microsoft Technology Licensing, Llc | Preserving data protection with policy |
US9853812B2 (en) | 2014-09-17 | 2017-12-26 | Microsoft Technology Licensing, Llc | Secure key management for roaming protected content |
US9984006B2 (en) | 2014-09-17 | 2018-05-29 | Commvault Systems, Inc. | Data storage systems and methods |
US9900295B2 (en) | 2014-11-05 | 2018-02-20 | Microsoft Technology Licensing, Llc | Roaming content wipe actions across devices |
US9853820B2 (en) | 2015-06-30 | 2017-12-26 | Microsoft Technology Licensing, Llc | Intelligent deletion of revoked data |
US9900325B2 (en) * | 2015-10-09 | 2018-02-20 | Microsoft Technology Licensing, Llc | Passive encryption of organization data |
US20170104768A1 (en) * | 2015-10-09 | 2017-04-13 | Microsoft Technology Licensing, Llc | Passive Encryption Of Organization Data |
CN105656949A (en) * | 2016-04-01 | 2016-06-08 | 浪潮(北京)电子信息产业有限公司 | Access control method and system of network file system |
US11128452B2 (en) * | 2017-03-25 | 2021-09-21 | AVAST Software s.r.o. | Encrypted data sharing with a hierarchical key structure |
CN108875379A (en) * | 2018-06-27 | 2018-11-23 | 南方电网科学研究院有限责任公司 | The method, apparatus and USB flash disk of USB flash disk storing data |
US20210051137A1 (en) * | 2019-08-16 | 2021-02-18 | Red Hat, Inc. | Asymmetric key management for cloud computing services |
US11539678B2 (en) * | 2019-08-16 | 2022-12-27 | Red Hat, Inc. | Asymmetric key management for cloud computing services |
Also Published As
Publication number | Publication date |
---|---|
US7171557B2 (en) | 2007-01-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7171557B2 (en) | System for optimized key management with file groups | |
US7219230B2 (en) | Optimizing costs associated with managing encrypted data | |
US7200747B2 (en) | System for ensuring data privacy and user differentiation in a distributed file system | |
US7827403B2 (en) | Method and apparatus for encrypting and decrypting data in a database table | |
US11057355B2 (en) | Protecting documents using policies and encryption | |
US9411749B2 (en) | Chunk-level client side encryption in hierarchical content addressable storage systems | |
US7203317B2 (en) | System for enabling lazy-revocation through recursive key generation | |
CA2623141C (en) | Content cryptographic firewall system | |
Vimercati et al. | Encryption policies for regulating access to outsourced data | |
US7313694B2 (en) | Secure file access control via directory encryption | |
CA2417516C (en) | Method and apparatus for automatic database encryption | |
US7792300B1 (en) | Method and apparatus for re-encrypting data in a transaction-based secure storage system | |
CA2520669C (en) | Method and apparatus for encrypting database columns | |
US7315859B2 (en) | Method and apparatus for management of encrypted data through role separation | |
US20070011749A1 (en) | Secure clipboard function | |
US20070011469A1 (en) | Secure local storage of files | |
US20100095118A1 (en) | Cryptographic key management system facilitating secure access of data portions to corresponding groups of users | |
US20070016771A1 (en) | Maintaining security for file copy operations | |
US7003116B2 (en) | System for encrypted file storage optimization via differentiated key lengths | |
KR101613146B1 (en) | Method for encrypting database | |
US11811907B2 (en) | Data processing permits system with keys | |
WO2020206953A1 (en) | Data processing method and system | |
US8769302B2 (en) | Encrypting data and characterization data that describes valid contents of a column | |
CN116090000A (en) | File security management method, system, device, medium and program product | |
KR100594886B1 (en) | System and Method for Security of Database | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: HEWLETT-PACKARD COMPANY, COLORADO Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KALLAHALLA, MAHESH;RIEDE, ERIK;SWAMINATHAN, RAM;REEL/FRAME:012725/0811 Effective date: 20011030 |
 | AS | Assignment | Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY L.P., TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:014061/0492 Effective date: 20030926 Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY L.P.,TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:014061/0492 Effective date: 20030926 |
 | CC | Certificate of correction | |
 | FPAY | Fee payment | Year of fee payment: 4 |
 | REMI | Maintenance fee reminder mailed | |
 | LAPS | Lapse for failure to pay maintenance fees | |
 | STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
 | FP | Lapsed due to failure to pay maintenance fee | Effective date: 20150130 |